"Forecast Time Series" assistant returning "Error Code 1"

Path Finder

I am trying to use the Forecast Time Series assistant of the Machine Learning Toolkit, and it's returning the error External search command 'predict' returned error code 1. (When I try copying the SPL or using the "Open in Search" option, I get the same error.)

The search I'm entering is source="*" date_year="2017", and then I'm asking it to predict the date_year field, so I know nothing will have a null or non-numeric value. (Of course, they'll all have the same value - 2017 - but I can't think of why that'd be the issue.) And when looking at the raw data, they all have valid timestamps in the _time field.

I can't find any information about error code 1 either in the Splunk documentation or on this site - does anyone have experience with this issue? I'm at a loss for what I should do - any suggestions would be greatly appreciated.

Thank you!

0 Karma
1 Solution

SplunkTrust

The predict command can only be used to predict one or more sets of time-series data, which implies you should apply it to fields generated through a transforming command (with a timestamp, obviously), not to raw events.

In simple words, the predict command will usually require a timechart command first (similar results can be obtained via the stats or chart command as well). Refer to the Splunk documentation, which clearly mentions this for usage of the predict command: https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Predict

source="*" date_year="2017"
| timechart count
| predict count

Or

source="*" date_year="2017"
| bin span=1mon _time
| timechart count by _time
| predict count
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

0 Karma

Path Finder

Thank you, niketnilay! I didn't realize the Toolkit assistants also required the timechart command - when I added that, it worked.

A question, though - if I want it to predict a field (say, have it predict date_year instead of count), do I always have to use a stats function (e.g., avg(date_year) or max(date_year)) with the timechart command?

0 Karma
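
Added example, not part of the original thread: a self-contained search that builds a constructed hourly series with makeresults, aggregates a numeric field with timechart avg(...) (timechart always needs an aggregation function, so a field other than count is forecast through one), and passes the result to predict. The field names sample_bytes, avg_bytes, forecast, upper, lower and outside_band are assumptions chosen for illustration, and the last line goes slightly beyond the thread by flagging points that fall outside the 95% confidence band.

```spl
| makeresults count=720
| streamstats count AS n
| eval _time = relative_time(now(), "-30d@h") + n * 3600
| eval sample_bytes = 1000 + 200 * sin(n * pi() / 12) + (random() % 100)
| timechart span=1h avg(sample_bytes) AS avg_bytes
| predict avg_bytes AS forecast algorithm=LLP future_timespan=24 upper95=upper lower95=lower
| eval outside_band = if(isnotnull(avg_bytes) AND (avg_bytes > upper OR avg_bytes < lower), 1, 0)
```

Removing the timechart line reproduces the situation in the question: predict then receives raw rows instead of one aggregated value per time bucket.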

SplunkTrust

Can you please elaborate on what you need with prediction of date_year? Prediction in the literal sense also implies predicting a value in time. I am sorry, but I am unable to understand what you imply by predicting date_year. If you can add an example of your use case, that would be great.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

Path Finder

I don't have a particular use case here - I'm just playing with the Toolkit to test its various capabilities 🙂 I will keep messing with it, now that it actually works (thank you!), and see if I can answer my own question.

0 Karma

SplunkTrust

The Machine Learning Toolkit has the Showcase App with a lot of examples specific to real-time use cases like predicting network traffic, disk failure, etc. It also has a link to a YouTube video which explains each one of them. Check them out unless you have already done the same. (PS: the ML Toolkit has its own documentation as well, which you could check out.)

You can also get the queries which are running behind the scenes to come up with your own queries. Do read the predict command documentation, as Forecast Time Series is based on the same.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma